Infrastructure as Code – Introduction

Lately I have been learning a new concept called infrastructure as code (IAC), so I decided to blog about my learning.

What is IAC?

What if we could manage our network devices the way developers manage code, with version control, automatic testing, code review and so on? IAC tries to change how we manage our infrastructure and bring the benefits programmers already have to infrastructure: every change is recorded, reviewed before it is applied, tested, and can be reverted.

Why do we need IAC?

As many network engineers know, if you want to make a change to your network there are steps you need to go through:

Schedule a maintenance window

Create and approve a work plan

Start the maintenance window after hours

Push the new configuration to the devices (and hope you didn’t make a typo or any other mistake)

Perform testing

Wait for other teams to complete their changes and testing

Summarize the results for tomorrow’s on-call engineers

Hopefully, a few hours before the end of the maintenance window, you go home.

Infrastructure today changes more frequently and at a larger scale, so we need to adjust how we do our day-to-day job to make changes more reliable and faster. As infrastructure engineers (network, system, storage, security, etc.), if we want to compete with the public cloud we need to change the way we manage the infrastructure.

The traditional way

Let’s examine a simple task: managing VLANs in our data centers.
We probably have more than one environment: DC, DMZ and maybe more.
We keep the VLAN list in an Excel spreadsheet or an IPAM.
We want to add a VLAN:

SSH to each network device

Create the VLAN and name it

Allow it on the trunks and on the access ports

Check that nothing breaks

Document the change

The IAC way:

Add the VLAN to the VLAN database and choose the environment it belongs to.

Deploy the change to a test environment and run the automatic tests.

Deploy the change to production and run the automatic tests again.

Documentation is generated automatically.

If the deployment fails, roll back to the previous version.
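The IAC way described above, as an added example (this is illustrative code, not from the original post and not the author’s tooling): a small Python script that treats the VLAN list as the single source of truth, runs the “automatic tests” before anything is pushed, renders per-device IOS-style commands only for that device’s environment, and derives the rollback by diffing the two states in the opposite direction. The inventory, the VLAN database, the current device state and the naming standard are all constructed assumptions, and the commands are printed rather than sent to a device.

```python
import re

# Constructed inventory (stands in for the inventory tool): device -> its
# environment and the trunk interfaces that carry that environment's VLANs.
INVENTORY = {
    "dc-core-1": {"env": "DC", "trunks": ["Ethernet1/1", "Ethernet1/2"]},
    "dc-core-2": {"env": "DC", "trunks": ["Ethernet1/1", "Ethernet1/2"]},
    "dmz-sw-1": {"env": "DMZ", "trunks": ["GigabitEthernet0/1"]},
}

# Constructed VLAN database (the desired state), replacing the spreadsheet/IPAM.
VLAN_DB = [
    {"id": 100, "name": "DC_WEB", "env": "DC"},
    {"id": 200, "name": "DC_DB", "env": "DC"},
    {"id": 300, "name": "DMZ_PROXY", "env": "DMZ"},
]

RESERVED_IDS = set(range(1002, 1006))  # IOS keeps 1002-1005 for FDDI/Token Ring
NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]{0,31}$")  # hypothetical naming standard


def validate(vlans, inventory):
    """Automatic tests that run before anything touches a device.

    Returns a list of error strings; an empty list means the change may proceed.
    """
    errors, seen_ids, seen_names = [], set(), set()
    known_envs = {d["env"] for d in inventory.values()}
    for v in vlans:
        vid, name = v["id"], v["name"]
        if not 2 <= vid <= 4094 or vid in RESERVED_IDS:
            errors.append(f"VLAN {vid}: id out of range or reserved")
        if vid in seen_ids:
            errors.append(f"VLAN {vid}: duplicate id")
        if not NAME_RE.match(name):
            errors.append(f"VLAN {vid}: name {name!r} violates naming standard")
        if name in seen_names:
            errors.append(f"VLAN {vid}: duplicate name {name!r}")
        if v["env"] not in known_envs:
            errors.append(f"VLAN {vid}: unknown environment {v['env']!r}")
        seen_ids.add(vid)
        seen_names.add(name)
    return errors


def desired_state(vlans, device, inventory):
    """The VLANs one device should carry: only those of its own environment."""
    env = inventory[device]["env"]
    return {v["id"]: v["name"] for v in vlans if v["env"] == env}


def plan(current, desired):
    """Diff two {id: name} states into (to_add, to_remove).

    Renames appear in to_add. plan(desired, current) is the exact inverse,
    which is the rollback.
    """
    to_add = {i: n for i, n in desired.items() if current.get(i) != n}
    to_remove = {i: n for i, n in current.items() if i not in desired}
    return to_add, to_remove


def render(device, to_add, to_remove, inventory):
    """Turn a plan into IOS-style commands for one device (printed, not pushed)."""
    trunks = inventory[device]["trunks"]
    cmds = []
    for vid, name in sorted(to_add.items()):
        cmds += [f"vlan {vid}", f" name {name}"]
        for t in trunks:
            cmds += [f"interface {t}", f" switchport trunk allowed vlan add {vid}"]
    for vid in sorted(to_remove):
        for t in trunks:
            cmds += [f"interface {t}", f" switchport trunk allowed vlan remove {vid}"]
        cmds.append(f"no vlan {vid}")
    return cmds


def change(vlans, device, current, inventory=INVENTORY):
    """Gate the change on the tests, then produce push and rollback commands."""
    errors = validate(vlans, inventory)
    if errors:
        raise ValueError("refusing to deploy: " + "; ".join(errors))
    desired = desired_state(vlans, device, inventory)
    push = render(device, *plan(current, desired), inventory)
    rollback = render(device, *plan(desired, current), inventory)
    return {"push": push, "rollback": rollback}


if __name__ == "__main__":
    # Constructed current state of dc-core-1: VLAN 100 exists, VLAN 999 is stale.
    current = {100: "DC_WEB", 999: "OLD_TEST"}
    result = change(VLAN_DB, "dc-core-1", current)
    print("\n".join(result["push"]))
    print("--- rollback ---")
    print("\n".join(result["rollback"]))
```

Two points are worth noting. The validation is a hard stop, not a warning: a reserved ID, a duplicate or an unknown environment means nothing is rendered at all, which is what replaces “hope you didn’t make a typo”. And the rollback is computed at the same time as the change, from the same two states, so it exists before the push happens rather than being improvised at 3 a.m.; in a real deployment the push and rollback would go through the configuration tool against a test environment first, exactly as the list above describes.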

Does it mean we need to be programmers?

No. You need basic programming skills (for loops, ifs, etc.), but you don’t need deep programming knowledge; what you need is to learn how to work with new tools.

Tools skills and concepts

Inventory

We need to create an inventory that contains all the assets we manage and their properties (built into most tools); it can be integrated with an existing inventory management system (SolarWinds, Prime, etc.).

Configuration system

We need a configuration system that will push the changes to the assets. I’m using Ansible, but there are others such as Chef, Puppet and more.

Orchestrator

The orchestrator is more advanced: it enforces the state of the devices, pushes the configuration, reacts to changes in state and more, for example Salt.

Repository

You will need a repository for code review, keeping track of changes, etc. I will use Git.

I will use an additional tool called NAPALM (Network Automation and Programmability Abstraction Layer with Multivendor support).

There are more tools, but I think those are the most basic ones.

Frequent mistakes

“We don’t have an API”

A lot of the time network engineers tell me that it’s all good, but the infrastructure isn’t ready for it because the network devices don’t support APIs. Most of the tools are capable of working with network devices over SSH; it’s less optimal, but it works. Keep the SSH credentials the tool uses in its secrets store (Ansible Vault, for example) rather than in the playbooks themselves, and make sure the devices’ host keys are verified.

“We don’t have a budget for the tools”

There are a lot of open-source tools you can work with, and they work just as well; you probably just won’t have a fancy GUI. For example, you can use Ansible rather than Ansible Tower, or Salt without SaltStack Enterprise, etc.

About Omer Shtivi

Omer Shtivi, CCIE #51906, has over nine years in the network industry, working for an Israeli reseller for the last six years. Omer has done projects for large enterprises, in many technologies and with various vendors.
Lately he has been exploring automation and orchestration technologies.

You can reach Omer:
omershtivi1989@gmail.com
https://www.linkedin.com/in/omershtivi/